DTrack: the malware that can hack anything, from ATMs to nuclear plants

Network security specialists report that the Nuclear Power Corporation of India (NPCIL), a government-controlled nuclear company, has been the victim of a serious malware infection. Although Indian officials did not explicitly name the affected facility, they did specify that the infected equipment belongs to one of the administrative areas of the nuclear plant, so it is not connected to any critical control system.

A few days ago, Pukhraj Singh, a cybersecurity expert who has previously worked with the Indian government, stated on his social media that the Kudankulam nuclear plant was under attack; although the authorities initially disregarded these claims, they ended up acknowledging the incident this morning.

Regarding the malware variant used in this attack, network security specialists have identified it as DTrack, malware linked to the activities of the dangerous Lazarus hacker group, which is sponsored by the North Korean government. It is apparently an older version of the ATMDTrack malware, used to hack ATMs in India.

Researchers at security firm Kaspersky Lab have identified at least 180 different versions of the DTrack malware; these versions do not differ greatly from each other, as they all share a similar set of features, which include:

  • Keylogging
  • Browsing history collection
  • Collection of IP addresses, available networks and active connections
  • Listing of all running processes
  • Listing of all files on all available disk volumes

To deploy the attack, hackers require some level of control over the internal networks of the target organization, so pre-existing security weaknesses must be present, such as poor password management, lack of traffic monitoring and other flaws.

According to expert reports, this malware was designed to be installed on multiple ATMs in order to capture data from victims’ cards. Another version of the malware was recently detected on South Korean banking systems, as well as in some WannaCry ransomware infections.

Network security experts first detected Lazarus group activity about 5 years ago during the cyberattacks against Sony that resulted in massive leaks of sensitive information. Over time, Lazarus hackers have shown a great capacity to evolve, even compromising the security of more sophisticated IT systems, such as the interbank payment network known as SWIFT.

Multiple researchers have linked the wave of attacks in South Korea and the WannaCry ransomware outbreak to this hacker group, which has reportedly collected more than $2 billion USD for a North Korean weapons of mass destruction program.

In light of these recent signs of hacker activity, network security experts from the International Institute of Cyber Security (IICS) recommend that system administrators implement protective measures, such as establishing stricter password and network policies, deploying traffic monitoring software and using the most sophisticated antivirus solutions available.